CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2022-03 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-13 • CWE-613: Insufficient Session Expiration •
CVE-2012-2582 – OTRS Open Technology Real Services 3.1.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2582
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en Open Ticket Request System (OTRS) Help Desk v2.4.x anterior a v2.4.13, v3.0.x anterior a v3.0.15, y v3.1.x anterior a v3.1.9, y OTRS ITSM v2.1.x anterior a v2.1.5, v3.0.x anterior a v3.0.6, y v3.1.x anterior a v3.1.6, permite a atacantes remotos inyectar código web o HTML arbitrario a través del cuerpo de un mensaje de correo electrónico con (1)una propiedad de una expresión en un atributo STYLE de un elemento arbitrario o (2) texto UTF-7 en un elemento META HTTP-EQUIV="CONTENT-TYPE". • https://www.exploit-db.com/exploits/20359 http://lists.opensuse.org/opensuse-updates/2012-09/msg00024.html http://secunia.com/advisories/50513 http://www.debian.org/security/2012/dsa-2536 http://www.kb.cert.org/vuls/id/582879 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-2746
https://notcve.org/view.php?id=CVE-2011-2746
Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors. Vulnerabilidad no especificada en Kernel/Modules/AdminPackageManager.pm en OTRS-Core en Open Ticket Request System (OTRS) v2.x antes de v2.4.11 y v3.x antes de v3.0.10. permite a administradores autenticados remotamente leer archivos de su elección a través de vectores desconocidos. • http://lists.opensuse.org/opensuse-updates/2011-09/msg00011.html http://otrs.org/advisory/OSA-2011-03-en http://secunia.com/advisories/45701 http://secunia.com/advisories/45894 http://www.osvdb.org/74602 http://www.securityfocus.com/bid/49251 •